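Problem: about 1% of requests end in "SSL handshake failure". They do not come from any particular source.
Pattern: I usually see the problem when a client sends too many requests too quickly, although sometimes a single request also fails the SSL handshake.
Question: I would like to know whether something is wrong with my configuration, whether a 1% failure rate is expected/normal, or whether the problem is on the client side, maybe they are using the wrong TLS version, etc. I know 1% sounds small, but with our current traffic 1% is over 20,000,000 hits per day.
Setup:
OS: Debian 9
HA-Proxy version: 1.8.19-1~bpo9+1 2019/02/12
SSL is served by haproxy, and two backends handle the data processing. They are not web servers.
Important parts of the configuration: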
global
nbproc 1
nbthread 40
cpu-map auto:1/all 0-
maxconn 400000
...
defaults
log global
mode http
option dontlognull
option redispatch
option forceclose
option forwardfor
retries 5
timeout connect 100
timeout queue 5000
timeout client 100000
timeout server 100000
maxconn 25000
ssl-default-bind-options no-sslv3
ssl-default-bind-ciphers ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
tune.ssl.default-dh-param 2048
...
listen app1-https
option httplog
bind xx.xx.xx.1:443 ssl crt /path/to/ssl/certname.pem
listen app2-https
option httplog
bind xx.xx.xx.2:443 ssl crt /path/to/ssl/certname.pem
...
Logs (grep -i handshake)
Apr 1 09:18:54 loadbalancer haproxy[14141]: 115.132.xx.xx:9225 [01/Apr/2019:09:18:54.373] app1-https/1: SSL handshake failure
Apr 1 09:18:54 loadbalancer haproxy[14141]: 102.250.xx.xx:50122 [01/Apr/2019:09:18:39.314] app2-https/1: SSL handshake failure
Apr 1 09:18:54 loadbalancer haproxy[14141]: 180.102.xx.xx:31197 [01/Apr/2019:09:18:54.134] app1-https/1: SSL handshake failure
Apr 1 09:18:54 loadbalancer haproxy[14141]: 49.14.xx.xx:34075 [01/Apr/2019:09:18:54.446] app1-https/1: SSL handshake failure
Apr 1 09:18:54 loadbalancer haproxy[14141]: 172.58.xx.xx:44834 [01/Apr/2019:09:18:43.858] app1-https/1: SSL handshake failure
Apr 1 09:18:54 loadbalancer haproxy[14141]: 115.164.xx.xx:31818 [01/Apr/2019:09:18:40.680] app2-https/1: SSL handshake failure
Apr 1 09:18:54 loadbalancer haproxy[14141]: 41.190.xx.xx:15014 [01/Apr/2019:09:18:54.809] app1-https/1: SSL handshake failure
Apr 1 09:18:54 loadbalancer haproxy[14141]: 49.35.xx.xx:62348 [01/Apr/2019:09:18:50.541] app2-https/1: SSL handshake failure
Apr 1 09:18:54 loadbalancer haproxy[14141]: 49.35.xx.xx:62353 [01/Apr/2019:09:18:50.541] app2-https/1: SSL handshake failure
Apr 1 09:18:54 loadbalancer haproxy[14141]: 49.35.xx.xx:62352 [01/Apr/2019:09:18:50.541] app2-https/1: SSL handshake failure
Apr 1 09:18:54 loadbalancer haproxy[14141]: 49.35.xx.xx:62337 [01/Apr/2019:09:18:50.518] app2-https/1: SSL handshake failure
Apr 1 09:18:54 loadbalancer haproxy[14141]: 49.35.xx.xx:62351 [01/Apr/2019:09:18:50.543] app2-https/1: SSL handshake failure
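A triage sketch for log lines like the ones above, added here as an example and not part of the original post: it compares the syslog timestamp with the bracketed accept date on each line to see how long a connection was open before the failure was logged, and counts failures per frontend and per source. The function names and the 3-second `slow_after` threshold are assumptions chosen for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Four lines copied from the log excerpt in the post (IPs masked as posted).
SAMPLE = """\
Apr 1 09:18:54 loadbalancer haproxy[14141]: 115.132.xx.xx:9225 [01/Apr/2019:09:18:54.373] app1-https/1: SSL handshake failure
Apr 1 09:18:54 loadbalancer haproxy[14141]: 102.250.xx.xx:50122 [01/Apr/2019:09:18:39.314] app2-https/1: SSL handshake failure
Apr 1 09:18:54 loadbalancer haproxy[14141]: 49.35.xx.xx:62348 [01/Apr/2019:09:18:50.541] app2-https/1: SSL handshake failure
Apr 1 09:18:54 loadbalancer haproxy[14141]: 49.35.xx.xx:62353 [01/Apr/2019:09:18:50.541] app2-https/1: SSL handshake failure
"""

# Fields: syslog time, client ip:port, [accept date], frontend/listener.
LINE = re.compile(
    r"^(?P<logged>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ haproxy\[\d+\]: "
    r"(?P<src>\S+):\d+ \[(?P<accept>[^\]]+)\] "
    r"(?P<frontend>[^/\s]+)/\d+: SSL handshake failure")

def parse(text):
    """Yield (source, frontend, seconds_open) for each handshake-failure line."""
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a handshake-failure line
        accept = datetime.strptime(m["accept"], "%d/%b/%Y:%H:%M:%S.%f")
        accept = accept.replace(microsecond=0)  # syslog only has 1 s resolution
        # The syslog timestamp carries no year, so borrow it from the accept date.
        logged = datetime.strptime(f"{accept.year} {m['logged']}", "%Y %b %d %H:%M:%S")
        if logged < accept:  # accepted on Dec 31, logged on Jan 1
            logged = logged.replace(year=logged.year + 1)
        yield m["src"], m["frontend"], int((logged - accept).total_seconds())

def summarize(text, slow_after=3):
    """Count failures per frontend, per source, and by time spent open."""
    by_frontend, by_source, by_speed = Counter(), Counter(), Counter()
    for src, frontend, open_s in parse(text):
        by_frontend[frontend] += 1
        by_source[src] += 1
        # "slow": the connection sat open for seconds before failing (a stalled
        # or abandoned handshake); "fast": it failed in about the same second.
        by_speed["slow" if open_s >= slow_after else "fast"] += 1
    return by_frontend, by_source, by_speed

if __name__ == "__main__":
    for counter in summarize(SAMPLE):
        print(counter.most_common())
```

Month names are parsed with `%b`, so this assumes an English/C locale on the machine running it.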